The term legacy in the world of information technology generally elicits an array of responses- -rarely positive. Few organizations, public or private, are immune to the effects of legacy systems in their technology environments. These legacy systems, business-critical systems that likely pre-date much of your IT workforce, pose challenges both in terms of operations and security. These systems can lock you into outdated processes, software and infrastructure, and typically not designed with current operational and security environments in mind. The cost to replace them is high and the risks they pose can be significant.
I am fortunate to serve as the Chief Information Security Officer (CISO) in the Commonwealth of Kentucky where we have insightful leadership that understands these risks and challenges and have taken positive steps to address them. From allocating funding for displacing legacy systems to modernizing infrastructure through industry leading consumption based and managed services, the Commonwealth has demonstrated a true commitment to evolving technology to empower a 21st century digital government. While we have already realized great risk and cost reduction benefits resulting from these efforts, the path to modernization is a strategic one that takes time. To manage the legacy risks as we continue down this path, we align our programs with the risk management and cybersecurity frameworks established by the National Institute of Standards and Technology (NIST).
Rising to the challenge of addressing legacy systems needs to have a foundation set on sound knowledge to support a comprehensive risk management strategy. A healthy risk management strategy must encompass impact, cost, and risk to effect informed decisions needed to reduce or to manage the risks legacy systems evoke. The NIST Cybersecurity Framework is a great starting point. As a widely accepted federal standard, the framework is well defined, organized, and documented, greatly easing its adoption in a complex technology environment. Divided into five disciplines and based on an easy to communicate maturity model, the framework is well suited for addressing legacy technology where effective collaboration between technology and business is required.
The first discipline, Identify, is where real intelligence is gathered to help drive critical business decisions regarding how to manage legacy technology. Looking at these systems through the lens of a well-defined Business Impact Analysis (BIA)and Risk Assessment(RA) sets the foundation. Gaining business insights through the BIA establishes system criticality, security, privacy, and regulatory concerns. Those, combined with the assessment of the operational, privacy, and security risks through a thorough RA, become the cornerstone upon which to build a strong risk management strategy for the system. With an additional cost analysis, the key stakeholders are fully informed to make decisions needed to achieve positive changes.
The Protect discipline is the point where information gathered thus far translates to action allowing your risk management strategy to focus on risk reduction. By ensuring you have strong access control mechanisms and processes, established information and data protection methodologies, and well defended system boundaries, you can manage risks, keeping them within the risk tolerance levels of the organization. This discipline also includes the often down-played but increasingly critical component of user awareness and training. In the current threat landscape, a well informed and aware workforce can be one of your most powerful defensive tools.
The next discipline, Detect, focuses on monitoring effectiveness of your operational and security controls. A legacy system, in a complex computing environment, can generate a large volume of intelligence information ranging from critical actionable events to simple informational items, which can be distracting. It is important to define what is critical and to employ the right monitoring processes and technologies. This ensures information needed to protect the security and integrity of the system rises to the top and gets in front of those who need to see and act on critical events. Applying correct analytics and filtering—both an art and a science—allows you filter out only the noise while prioritizing intelligence. This keeps your valuable resources honed in on the events that best result in reducing operational and security risk.
Now, we have gathered the right information about our system, employed a defensive strategy, and established our monitoring effectiveness, what do we do when an anomaly or incident occurs? The Respond discipline is where you define your incident response processes to ensure clearly defined roles and responsibilities. This includes a clearly articulated response plan along with well-known communication channels. This plan should be exercised periodically, during times when operations are normal, to ensure the response plan runs smoothly. When an event occurs, this is not the time to discover gaps in the plan. Pre-planning, exercising, and continuously strengthening the incident response plan prevents those gaps.
The final discipline, Recover, is where you employ the business continuity strategy to keep you in business. Building a business continuity strategy around a legacy system can have unique challenges. Since concern of legacy systems depends on what may be old technologies, you have to define a recovery strategy that is well detailed to ensure those dependencies are included at the right release level and version. For example, some components may not be able to be licensed or recreated at a down-level version. Or, some components may no longer be available or critical knowledge may be missing. These constraints make establishing a thorough and detailed recovery plan critical as is testing the plan to ensure that it can facilitate a complete recovery.
While the end goal is modernization, by selecting the right framework and executing the components methodically and thoroughly, you can manage the risks a legacy application can bring to your environment, while reaching levels of reduction that are within acceptable risk tolerance levels of your organization. Similar to the adage, “trust, but verify” -- always strive for perfection, but put in place the right strategies to get you there.